If you’re a developer closing in on a decision about which payment provider to recommend for your company, you’re probably investigating the payment gateway architecture/technology of a number of different providers. Putting functional parity aside and calling all gateways equal from a “product” perspective, there are some architectural and technical characteristics that make some gateways stand out from the pack. We’ll outline those briefly in this article along with how BlueSnap fits the bill in hopes of making your investigative work short and sweet.
Payment Gateway Architecture: Five Essential Elements
There are five areas a developer should look into from an architectural/technical perspective when deciding on a gateway:
1. PCI compliance.
If the payment gateway handles credit/debit card transactions, you will need to be compliant with the Payment Card Industry Data Security Standard (PCI-DSS). That is a requirement of the card schemes (VISA, Mastercard, etc.). Any gateway vendor that indicates you do not need to be PCI compliant is not following the rules; my advice is to walk away.
PCI compliance comes with a heavy cost and burden. Fortunately, there are various levels of PCI compliance depending on how you “handle” card data. The least costly PCI level is called SAQ-A where, in essence, you (as a merchant) never have access to card data and deal with card payments using a token (provided by the gateway) in lieu of the card. So you should ask your gateway provider the following questions:
- What type of PCI compliance level would the gateway provide?
- Do they provide an integration method that puts you under SAQ-A scope? (That’s the level you want if your organization is not PCI-savvy.)
- Can you still accomplish all the functionality your business needs under your desired PCI scope?
How BlueSnap does it: BlueSnap provides various integration methods so you can reach whichever PCI scope your organization is comfortable with, including SAQ-A. Furthermore, to assist you with achieving and reporting your compliance, we partner with SecurityMetrics—a PCI specialist firm—to work with you on PCI compliance and make it as painless as possible. The SecurityMetrics service is free of charge to you.
2. The currency of the architecture.
Payment gateways have been around for decades. Some gateways have revamped their architecture and invested in their platform but others continue to lag behind. Those that lag behind show a lack of commitment and innovation (in my opinion). You should make it a point to investigate the software and architecture stack utilized by the payment provider to get an idea of how innovative they are. Ask the following of your provider:
- What language is the gateway written in?
- Is the API consistent with modern practices?
- What technology stack is the gateway built on?
How BlueSnap does it: BlueSnap uses a Spring-based Java framework running on Linux. We invested heavily in our technology stack to ensure a leading-edge platform that is scalable and stable. We provide RESTful APIs and continue to extend our offering to keep it modern and in line with today’s best practices.
3. The frequency of improvements.
Payment providers that update their gateways frequently have an eye toward customer satisfaction and the desire to make their product better. To find out whether a gateway provider is inclined toward continual improvement, be sure to find out:
- How aggressive are they in introducing newer functionality?
- Is their product keeping up with the market?
- Has the company produced any leading functionality recently?
How BlueSnap does it: BlueSnap employs an agile methodology because it’s our goal to get valuable updates into your hands quickly. We deploy a “nano” release in Production every other week, and four major releases a year. We firmly believe in continuous delivery of functionality in order to be competitive and deliver innovative solutions to our clients.
4. The scalability and availability of the platform.
Before you commit, it’s important to know the system has high availability, and can grow right along with your business. Evaluate these aspects by finding out:
- Is the infrastructure redundant?
- Do they deploy their solution in a high availability fashion?
- How does the gateway handle a network outage?
- Is the gateway scalable?
- How many data centers do they have and what is their business continuity plan?
- What is their uptime SLA?
How BlueSnap does it: BlueSnap runs hot-hot in two data centers (not hot-standby like most gateway providers). We deploy GEO load balancing by servicing the user from the nearest data center to their physical location. This gives us added flexibility to deploy our releases without having to bring the system down (same goes for maintenance). Our solution is deployed in high availability at all layers (including the network and ISPs) and is horizontally and vertically scalable.
5. Security.
Since gateways deal with the transfer of money, security is paramount. Every developer should be concerned with the security of the gateway and the security level of the vendor. To evaluate this aspect, ask about the following:
- Is the gateway provider PCI certified?
- Do they provide DDoS mitigation for their services?
- Do they provide any fraud-management capabilities within their solution?
- Do they have a security team focused on securing their application and infrastructure?
How BlueSnap does it: BlueSnap is PCI Level 1 certified. With that certification comes a heavy investment in security: centralized logging and monitoring, endpoint security, host intrusion detection, an intrusion prevention system, security best practices, etc. But we also go beyond PCI requirements and deploy DDoS mitigation and a Web Application Firewall. We also partner with Kount to provide the industry’s leading fraud engine as part of our solution.
Need more information?
Our BlueSnap Developer Hub was created with you in mind. You asked and we answered—which is why the Hub is, well, a hub of guides to get you started, advanced tutorials, code samples, and more. It also lets you experiment in a sandbox environment—without creating an account first. Check it out!